Skip to content

[Port dspace-9_x] Bump @angular/* framework packages to 20.3.25 (security)#5958

Merged
tdonohue merged 1 commit into
DSpace:dspace-9_xfrom
tdonohue:port_5859_to_9x
Jul 14, 2026
Merged

[Port dspace-9_x] Bump @angular/* framework packages to 20.3.25 (security)#5958
tdonohue merged 1 commit into
DSpace:dspace-9_xfrom
tdonohue:port_5859_to_9x

Conversation

@tdonohue

Copy link
Copy Markdown
Member

Manual backport of #5859 by @bram-atmire to dspace-9_x.

Combined Angular framework bump from 20.3.24 to 20.3.25, addressing the
security advisories that Dependabot raised as three separate, individually
unmergeable PRs (DSpace#5850 @angular/core, DSpace#5851 @angular/compiler,

Angular peer dependencies require every @angular/* framework package to be
the exact same version, so bumping one package at a time fails npm install
with ERESOLVE. This bumps the whole peer-locked family together:
animations, common, compiler, core, forms, localize, platform-browser,
platform-browser-dynamic, platform-server, router, and compiler-cli
(compiler-cli has an exact peer on compiler, so it must move in lockstep).

The package-lock.json also picks up a few in-range transitive patch
refreshes in the mirador/react subtree (react-rnd, notistack, goober,
clsx) as a byproduct of npm reconciling the lock. Verified with npm ci.

Advisories resolved (fixed in 20.3.25):
- GHSA-rgjc-h3x7-9mwg (High)  @angular/core: hydration DOM clobbering and
  response-cache poisoning
- GHSA-39pv-4j6c-2g6v (High)  @angular/common: weak 32-bit cache key in
  HttpTransferCache, cross-request data leakage
- GHSA-48r7-hpm6-gfxm (High)  @angular/common: DoS via OOM in formatDate
- GHSA-58w9-8g37-x9v5 (Med)   @angular/compiler: two-way binding
  sanitization bypass (XSS)
@tdonohue tdonohue added this to the 9.4 milestone Jul 14, 2026
@tdonohue tdonohue added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 14, 2026
@tdonohue tdonohue moved this to 👍 Reviewer Approved in DSpace Maintenance (10.x, 9.x, 8.x) Jul 14, 2026
@tdonohue

Copy link
Copy Markdown
Member Author

👍 This PR is already running well on main and dspace-10_x. Merging immediately

@tdonohue
tdonohue merged commit 5542d50 into DSpace:dspace-9_x Jul 14, 2026
16 checks passed
@github-project-automation github-project-automation Bot moved this from 👍 Reviewer Approved to ✅ Done in DSpace Maintenance (10.x, 9.x, 8.x) Jul 14, 2026
@tdonohue
tdonohue deleted the port_5859_to_9x branch July 14, 2026 20:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

Development

Successfully merging this pull request may close these issues.

2 participants